This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author symphorien
Recipients symphorien
Date 2016-12-31.19:00:29
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1483210830.52.0.920210756798.issue29125@psf.upfronthosting.co.za>
In-reply-to
Content
The tkinter.tix module looks for a Tix installation in the directory specified by the TIX_LIBRARY environment variable, but blindly trusts that it is a path in the filesystem. This enables a shell injection :

TIX_LIBRARY='/dev/null}; exec gsimplecal;' python2 -c "from Tix import Tk; Tk()"

or 

TIX_LIBRARY='/dev/null}; exec gsimplecal;' python3 -c "from tkinter.tix import Tk; Tk()"

Python execs gsimplecal, waits on its completion and then raises a tkinter.TclError.

The offending code is here : https://github.com/python/cpython/blob/master/Lib/tkinter/tix.py#L204-L208
History
Date User Action Args
2016-12-31 19:00:30symphoriensetrecipients: + symphorien
2016-12-31 19:00:30symphoriensetmessageid: <1483210830.52.0.920210756798.issue29125@psf.upfronthosting.co.za>
2016-12-31 19:00:30symphorienlinkissue29125 messages
2016-12-31 19:00:29symphoriencreate